[00:00.000 --> 00:06.080]  And then they're halfway into the first question before it actually connects.
[00:07.020 --> 00:10.180]  There we go.
[00:11.240 --> 00:12.260]  Nope.
[00:16.240 --> 00:21.680]  Ella Punk, would you holler at our SpeakerUps channel saying we're going live?
[00:22.360 --> 00:23.520]  Gotcha.
[00:23.520 --> 00:24.980]  Thank you.
[00:28.200 --> 00:30.280]  Gotta find the channel.
[00:30.320 --> 00:31.420]  Yeah.
[00:32.800 --> 00:36.080]  One of many, many, many, many, many channels.
[00:38.600 --> 00:39.420]  Got it.
[00:39.620 --> 00:42.740]  Hey, cool. We're live.
[00:42.780 --> 00:47.460]  So, welcome everyone. I want to thank everybody for coming to join.
[00:47.480 --> 00:52.760]  We're sitting here with Cooper. What's your last name, Cooper? I had it up here somewhere.
[00:52.760 --> 00:53.320]  Quintin.
[00:53.320 --> 00:54.600]  Cooper Quintin.
[00:55.080 --> 00:55.700]  Yes.
[00:55.700 --> 01:01.960]  All right. His presentation was Detecting Fake 4G Base Stations in Real Time.
[01:02.400 --> 01:08.140]  So, thank you so much for taking the time and effort to put together this DEF CON Talk.
[01:08.300 --> 01:14.640]  We're in this brave new world where we all get to do things virtually, so thank you very much.
[01:15.160 --> 01:16.800]  Yeah, thanks for having me.
[01:17.000 --> 01:18.060]  Absolutely.
[01:18.300 --> 01:21.960]  So, we've had a few questions come in already.
[01:22.720 --> 01:33.620]  We'll just get you started with this first one from RPTK2015, who has been watching, I think, all of the talks as we've been going through this.
[01:33.620 --> 01:34.520]  Question.
[01:34.700 --> 01:41.300]  If I can see that I'm connected to a fake cell ID, what can I do? Should I just stop using the internet?
[01:42.800 --> 01:47.280]  Yeah, that's a great question, and I'll answer it in a couple of parts.
[01:48.380 --> 01:53.280]  The first thing I'll answer is that if you think that you are connected to...
[01:54.940 --> 02:01.920]  If you're in a situation where you might be worried about a cell site simulator, the best thing you can do is just put your phone on airplane mode.
[02:02.080 --> 02:07.860]  And that's always a good idea if you're at a protest or if you're committing a crime.
[02:07.860 --> 02:09.280]  This is not legal advice.
[02:10.220 --> 02:17.820]  But if you're doing anything where you don't want to be tracked by your phone, the best thing you can do is just put it in airplane mode.
[02:18.540 --> 02:26.360]  The question, though, of if you see that you're connected to a rogue cell ID, you're usually not going to see that.
[02:26.440 --> 02:36.680]  The unfortunate thing about how phones work is that it's actually really hard to tell if you're connected to a cell site simulator.
[02:36.680 --> 02:39.640]  And so you're usually not going to know.
[02:40.740 --> 02:50.040]  And a lot of the things that cell site simulators do are similar to the things that cell networks do when they enter failure modes.
[02:50.040 --> 02:55.960]  So like when an eNodeB crashes or when there's too many people connected to a cell.
[02:56.140 --> 03:04.180]  So you're likely not going to know, but if you do have that concern, yeah, just put your phone in airplane mode.
[03:04.180 --> 03:07.780]  And leave it in that until you need to send a text or something.
[03:08.480 --> 03:15.200]  Airplane mode. All right. So there's been a lot of conversation in the past about airplane mode doesn't protect you from a lot of stuff.
[03:15.200 --> 03:21.820]  Are we thinking that this is still going to be good enough? Or is this your situation if you don't bring your phone with you?
[03:23.520 --> 03:30.760]  So, I mean, it depends. I think it depends on your risk model, right? It depends what you are concerned about.
[03:31.480 --> 03:36.960]  I think airplane mode is going to be good enough for most cases and situations.
[03:37.800 --> 03:43.180]  Because not bringing your phone with you means you can't take pictures of whatever's going on.
[03:43.180 --> 03:46.980]  It means that you can't make calls. It means you can't call your friends.
[03:46.980 --> 03:49.620]  It means you can't call anybody if you're about to get arrested.
[03:50.300 --> 03:54.660]  I don't know, like, again, I don't know what situation you're planning on taking this out.
[03:54.940 --> 03:58.920]  But I think airplane mode is good enough for most cases.
[03:58.920 --> 04:08.660]  And yeah, if you really have high security needs, if you don't want to be displaying any weird patterns of travel,
[04:08.660 --> 04:11.780]  like, yeah, leave your phone at home and leave it on, right?
[04:12.680 --> 04:15.500]  Then it looks like you're just sitting around at home doing nothing.
[04:15.500 --> 04:18.480]  So, again, not legal advice.
[04:19.960 --> 04:23.560]  You know, we had a follow-up that I think a lot of people would find true.
[04:23.560 --> 04:25.820]  So I'm interested in what you have to say.
[04:25.820 --> 04:30.560]  Does a VPN offer any protection from a cell site simulator?
[04:30.560 --> 04:32.860]  And also, what does it not protect against?
[04:32.860 --> 04:36.780]  For example, GPS data or exploits in pre-authentication messages?
[04:37.820 --> 04:39.920]  That's a really great question.
[04:40.300 --> 04:45.220]  Yes, exactly. It does not protect against those two things.
[04:45.220 --> 04:47.480]  It doesn't protect against GPS data.
[04:47.480 --> 04:50.980]  It doesn't protect against exploits in pre-authentication messages,
[04:50.980 --> 04:54.420]  which is where most cell site simulators happen in the first place.
[04:54.420 --> 04:58.940]  And actually, there was a really... there was a great talk at Black Hat
[04:58.940 --> 05:03.700]  and a really good paper that's out, and I can try to find the link and post it somewhere later,
[05:04.740 --> 05:10.400]  about... so the attack is called... I think it's called ALTER.
[05:10.960 --> 05:13.200]  Yeah, well, so there's... no, okay, so there's two attacks.
[05:13.200 --> 05:15.820]  One is called A-L-T-E-R, ALTER.
[05:15.820 --> 05:18.780]  And then the other attack is called...
[05:19.620 --> 05:21.260]  Shit, I forgot the name.
[05:21.860 --> 05:25.320]  And there's another attack, and these are two attacks that allow you in the...
[05:25.320 --> 05:29.580]  that allow a malicious actor in the pre-authentication stage
[05:29.580 --> 05:37.800]  to manipulate DNS queries being sent to the tower to send back fake...
[05:39.660 --> 05:44.740]  or to send back fake answers, like to send back malicious DNS answers, right?
[05:44.920 --> 05:47.280]  Responses. So there's...
[05:48.380 --> 05:54.280]  Sorry, so to answer the question, like, a VPN might...
[05:55.040 --> 05:59.820]  like, it might protect against some eavesdropping attacks,
[05:59.820 --> 06:01.680]  but I don't think it's going to be good enough.
[06:01.680 --> 06:06.340]  But the other thing is that it seems like, at least in the US,
[06:06.340 --> 06:13.140]  the primary usage for cell site simulators is to determine who is in a specific place,
[06:13.140 --> 06:15.540]  or in other words, what phones are in a specific place,
[06:15.540 --> 06:21.540]  or to locate a suspect, or to locate somebody, like,
[06:21.540 --> 06:25.980]  down to what apartment they're in, or down to, you know, what building, right?
[06:26.080 --> 06:34.600]  And neither of those attacks rely on looking at the person's or people's internet traffic.
[06:34.600 --> 06:37.500]  They only rely on looking at signals being sent from the phone,
[06:37.500 --> 06:39.720]  and a VPN won't do anything about that.
[06:40.640 --> 06:43.680]  Interesting. That makes sense.
[06:43.680 --> 06:47.240]  So there are some things that you can protect yourself with in this way.
[06:47.240 --> 06:52.180]  There are some things that are outside the scope of your research in this case.
[06:52.700 --> 06:53.540]  Yeah.
[06:53.780 --> 06:59.220]  Well, the natural follow-up question from that is usually one I ask quite a bit further,
[06:59.220 --> 07:02.960]  but then, what's next in this research space?
[07:02.960 --> 07:09.340]  And if you had more time or money, what could you have done to expand this?
[07:10.020 --> 07:12.060]  Yeah, that's a great question.
[07:12.060 --> 07:23.980]  So the thing I would love to have is transmission data.
[07:23.980 --> 07:27.460]  So I mentioned in my talk that, like, we can't actually connect to the tower,
[07:27.460 --> 07:29.820]  and we can't actually transmit things.
[07:29.820 --> 07:33.980]  We can't actually, like, send authentication messages to the tower
[07:33.980 --> 07:35.460]  and see how it responds.
[07:35.540 --> 07:37.540]  We can't look at paging messages, etc.
[07:37.540 --> 07:46.160]  But if we were able to gain access to licensed hardware,
[07:46.160 --> 07:49.760]  like a licensed 4G baseband and program it ourselves,
[07:49.760 --> 07:52.380]  or gain access to lower-level messages,
[07:52.380 --> 07:54.720]  then it's possible that we could do that.
[07:54.720 --> 07:57.940]  And that would be an amazing thing to do.
[07:57.940 --> 07:59.840]  I think the other thing I would like to do in the future
[08:00.540 --> 08:05.060]  is get better heuristics involved in Crocodile Hunter.
[08:05.060 --> 08:07.420]  So the heuristics that Crocodile Hunter uses right now
[08:07.420 --> 08:10.060]  to determine what's a suspicious tower or not,
[08:11.640 --> 08:13.900]  they're kind of my first pass at that.
[08:13.900 --> 08:20.740]  And I think that once we know more about what malicious cell towers look like in the wild,
[08:20.740 --> 08:26.880]  we'll be able to get better heuristics to have less false positives
[08:27.780 --> 08:29.740]  in what's suspicious and what's not.
[08:29.740 --> 08:33.740]  I don't want to stomp all over the wonderful people putting stuff in chat over here,
[08:33.740 --> 08:36.920]  but that is my next follow-up question if it's right into there.
[08:38.300 --> 08:41.860]  There are people out here with a lot of time and effort and energy
[08:41.860 --> 08:44.860]  and want to get involved in projects.
[08:44.860 --> 08:47.880]  If somebody wants to get involved in this project,
[08:47.880 --> 08:52.580]  if they build your rig and are doing this,
[08:52.580 --> 08:54.240]  do you want their data?
[08:54.240 --> 08:56.920]  Is data from other people helpful?
[08:56.920 --> 08:58.600]  How can people assist?
[08:59.480 --> 09:03.240]  Yeah, data from other people is absolutely helpful.
[09:03.240 --> 09:07.660]  And there's actually an API built into Crocodile Hunter
[09:07.660 --> 09:10.240]  to allow you to send your data back to us.
[09:10.600 --> 09:14.240]  And there's documentation on that in the GitHub repository.
[09:15.900 --> 09:21.080]  But yeah, if you go do scans, even if you don't find anything,
[09:21.080 --> 09:23.280]  having that data is super helpful.
[09:25.660 --> 09:28.460]  Yeah, so please go ahead and send it to us.
[09:28.460 --> 09:31.980]  And please go ahead and get involved on the GitHub
[09:31.980 --> 09:34.880]  and file bugs and pull requests and stuff.
[09:35.120 --> 09:38.720]  We'll probably eventually set up a chat server somewhere
[09:38.720 --> 09:41.220]  if the project seems popular enough.
[09:42.500 --> 09:45.600]  A specific question here, specific to an area,
[09:45.600 --> 09:47.040]  so Latin America.
[09:47.040 --> 09:52.120]  Can you talk about the fake antenna detection project?
[09:53.240 --> 09:59.540]  Yeah, so I don't want to put words in their mouth too much.
[09:59.540 --> 10:00.720]  They have a website.
[10:01.960 --> 10:05.960]  I think it's fadeprojects.org.
[10:05.960 --> 10:10.160]  Maybe one of you can confirm that real quick.
[10:10.620 --> 10:12.940]  Or I'll post it later.
[10:13.160 --> 10:14.300]  So they have a website.
[10:14.300 --> 10:16.220]  I don't want to put too many words in their mouth,
[10:16.220 --> 10:20.120]  but basically this is a group of technologists,
[10:20.200 --> 10:24.700]  a group of hackers that are in various countries in Latin America.
[10:24.740 --> 10:30.060]  And they had previously done fake antenna detection with Seaglass,
[10:30.060 --> 10:32.720]  which is a similar project out of the University of Washington,
[10:32.720 --> 10:34.620]  but focused on 2G towers.
[10:34.940 --> 10:39.080]  And they found some really interesting results in Mexico City
[10:39.080 --> 10:44.980]  and I think in Colombia, if I recall.
[10:45.220 --> 10:47.880]  So they found some really interesting results in a few different places.
[10:47.880 --> 10:51.360]  And they're just doing this to see what they can find
[10:51.360 --> 10:55.440]  and to see how widespread the problem of CSS is in Latin America.
[10:55.520 --> 10:59.240]  And they're planning on doing this with Crocodile Hunter,
[10:59.240 --> 11:00.960]  doing the same research, but next with...
[11:00.960 --> 11:02.240]  Great.
[11:02.420 --> 11:08.060]  You get to see where it takes you when you're traveling in other countries.
[11:08.400 --> 11:10.960]  Yeah, I'm really excited to see what they find.
[11:11.160 --> 11:13.740]  Probably some interesting questions as well is
[11:13.740 --> 11:18.760]  what's allowed on the Send-Receive if you are in non-US countries?
[11:21.420 --> 11:24.000]  I am not an international lawyer.
[11:24.000 --> 11:25.580]  I'm not even a national lawyer.
[11:25.580 --> 11:27.140]  I'm not any type of lawyer.
[11:27.140 --> 11:30.100]  So I cannot speak to that.
[11:30.100 --> 11:34.480]  If you are curious about that, you should ask a lawyer in your country
[11:35.400 --> 11:37.920]  as to what's allowed for Send-Receive.
[11:37.920 --> 11:39.800]  Because it varies from country to country.
[11:39.800 --> 11:40.540]  It does.
[11:40.580 --> 11:45.500]  We were looking at doing this in some Middle Eastern countries
[11:45.500 --> 11:50.980]  and the laws there wouldn't even allow us to receive packets from a cell tower.
[11:53.120 --> 11:53.640]  So...
[11:54.700 --> 11:58.780]  There's a bunch of questions that I saw here that I'd be interested to learn a little bit more.
[11:58.780 --> 12:03.400]  You mentioned briefly in your talk that 5G handles pre-authentication.
[12:03.400 --> 12:04.460]  I can't speak today.
[12:04.460 --> 12:05.740]  Pre-authentication.
[12:06.460 --> 12:07.540]  Thank you.
[12:07.540 --> 12:08.820]  This never happened.
[12:08.880 --> 12:11.180]  Messages similar to 4G.
[12:11.180 --> 12:17.320]  Do you suspect nearly identical cell site simulator techniques will carry over from 4G to 5G?
[12:17.320 --> 12:18.260]  Cut to it.
[12:21.080 --> 12:23.080]  Awesome. Awesome.
[12:23.260 --> 12:26.240]  Yeah, unfortunately I do.
[12:26.240 --> 12:32.740]  A lot of the... almost all of the attacks that work against 4G still work against 5G.
[12:32.740 --> 12:34.180]  There have been...
[12:35.240 --> 12:39.940]  There have been some mitigations put in place in the standard.
[12:39.940 --> 12:46.600]  But unfortunately a lot of those mitigations are marked as optional in the standard.
[12:46.600 --> 12:52.890]  And anything marked as optional means that the phone companies are absolutely not going to do it.
[12:53.820 --> 12:58.060]  Because they want to spend as little money as possible.
[12:58.140 --> 12:59.280]  As little effort as possible.
[12:59.280 --> 13:02.100]  Because phone companies are a giant pile of shit.
[13:02.700 --> 13:03.280]  So...
[13:06.920 --> 13:13.500]  So I don't expect that those mitigations will make their way into actual deployment.
[13:13.500 --> 13:20.260]  And I think that a lot of the same techniques that you see in 4G are going to still work in 5G.
[13:21.040 --> 13:22.740]  Alright, that's good to know.
[13:22.900 --> 13:27.580]  I had another question that I think more just shows my ignorance in the subject.
[13:28.000 --> 13:33.500]  So the kit that you've built in order to do the hardware on this one is...
[13:34.660 --> 13:38.220]  What, $500 for the radio?
[13:38.220 --> 13:41.580]  And you've got a Raspberry Pi, which is relatively inexpensive.
[13:41.580 --> 13:44.160]  And you're carrying around a laptop and all this.
[13:44.580 --> 13:48.580]  The question that comes to mind on this is...
[13:50.460 --> 13:55.900]  We all carry around a cell phone that already talks to these devices.
[13:56.600 --> 14:01.580]  Can cell phones themselves be modified to do any of this work?
[14:02.040 --> 14:04.280]  Yeah, so that's a great question.
[14:04.280 --> 14:06.740]  And I would love it if they could.
[14:08.120 --> 14:10.520]  I have not found a good way to do that.
[14:10.520 --> 14:15.160]  So we can't do this in a native app.
[14:15.200 --> 14:17.460]  Because for two reasons.
[14:17.460 --> 14:19.760]  A, we don't get enough low-level data.
[14:19.820 --> 14:25.400]  And B, we're only going to see the cells that the phone is actually connecting to.
[14:25.440 --> 14:28.340]  And the neighbor list of cells that the phone is actually connecting to.
[14:28.340 --> 14:30.720]  And I want to see all of the cells.
[14:30.720 --> 14:33.600]  I want to be war-driving 5G towers.
[14:33.800 --> 14:38.460]  Not just looking at what the cell phone wants to connect to.
[14:39.320 --> 14:41.640]  And then the other thing is, there's no way...
[14:41.640 --> 14:46.760]  There's no API for the baseband, right?
[14:46.760 --> 14:49.560]  And there's no...
[14:50.460 --> 14:55.240]  I mean, the closest thing to an open-source baseband is in srsLTE.
[14:55.580 --> 15:00.020]  There's no open-source baseband, programmable baseband,
[15:00.020 --> 15:03.200]  that runs on an actual licensed 4G chip.
[15:03.200 --> 15:07.820]  And that's the open-source LTE library?
[15:08.540 --> 15:11.380]  Yeah, sorry. So that's the open-source LTE.
[15:11.380 --> 15:15.540]  srsLTE is the open-source LTE library that we use in the backend of Crocodile Hunter
[15:15.540 --> 15:20.800]  to actually emulate part of the user equipment,
[15:20.800 --> 15:24.940]  to emulate part of the cell phone, and scan the frequencies
[15:24.940 --> 15:28.400]  and get the information blocks that we need.
[15:28.660 --> 15:29.140]  Gotcha.
[15:29.600 --> 15:33.260]  So we are essentially emulating the cell phone,
[15:33.260 --> 15:37.080]  doing part of what a cell phone does, but we're not doing it on cell phone hardware.
[15:37.080 --> 15:39.460]  And it would be great if we could do that on cell phone hardware,
[15:39.460 --> 15:44.460]  but I don't think that that currently exists.
[15:46.160 --> 15:48.180]  But it's a good idea.
[15:51.900 --> 15:54.780]  So Seaglass, the Seaglass project from the University of Washington
[15:54.780 --> 15:57.860]  that I was talking about earlier, is doing that on a phone
[15:57.860 --> 16:01.700]  using the Osmocom baseband for 2G or GSM.
[16:02.060 --> 16:07.060]  So that does exist for GSM, it just doesn't exist for LTE.
[16:07.560 --> 16:08.280]  Okay.
[16:08.460 --> 16:11.500]  But it is a good idea, and if and when it does exist for LTE,
[16:11.500 --> 16:17.480]  it would be great to rebuild Crocodile Hunter using that.
[16:17.840 --> 16:20.980]  So you're barking up the right tree there, for sure.
[16:23.520 --> 16:25.460]  What else do we have coming in, Ella Punk?
[16:25.460 --> 16:28.000]  I can't believe I just used the phrase, barking up the right tree.
[16:28.000 --> 16:28.940]  Yeah, you did.
[16:30.320 --> 16:32.660]  This is a very laid-back Q&A.
[16:32.940 --> 16:34.520]  Back to the alcohol.
[16:35.540 --> 16:37.800]  And a coffee cup, well done.
[16:38.600 --> 16:40.740]  Alright, so next question.
[16:42.380 --> 16:47.220]  You mentioned turning off 2G could help.
[16:47.220 --> 16:51.160]  Do you know of any progress to create and enable this feature?
[16:57.790 --> 17:00.760]  I think that there are people within these companies
[17:00.760 --> 17:03.060]  that really want to see this happen.
[17:03.060 --> 17:11.340]  But I think it's going to be an ongoing battle.
[17:11.760 --> 17:22.060]  I think that the manufacturers, the OS manufacturers,
[17:22.060 --> 17:26.310]  Samsung, Apple, will need to see that there is a consumer demand for it.
[17:27.510 --> 17:33.890]  And they're still not likely to turn 2G off completely or even by default
[17:33.890 --> 17:39.930]  because it is still used by so many people around the world, unfortunately.
[17:39.930 --> 17:44.350]  But even getting a toggle to turn it off, if that's a concern, would be great.
[17:44.350 --> 17:47.570]  But I think that even though there are people within the companies
[17:47.570 --> 17:49.130]  that really want to see this happen,
[17:49.130 --> 17:51.970]  I think the people at the top of those companies
[17:51.970 --> 17:55.010]  need to see consumer demand for it to really make it a priority.
[17:56.110 --> 17:58.510]  It's probably a deal all over the place.
[17:59.690 --> 18:02.690]  The consumer needs to understand that this is the thing that they want
[18:02.690 --> 18:04.770]  before they know how to ask for it.
[18:04.890 --> 18:06.430]  Yeah, exactly.
[18:08.150 --> 18:09.950]  Another follow-up is...
[18:12.190 --> 18:15.830]  I lost my thing on here. I'm just doing horrible today, guys. Sorry.
[18:16.490 --> 18:17.090]  Oh, no.
[18:17.710 --> 18:18.890]  It's the day.
[18:19.290 --> 18:23.270]  With disposable phones and burner phones being so readily available,
[18:23.270 --> 18:26.010]  why not buy one of those and give it a try?
[18:29.270 --> 18:33.930]  Yeah. I mean, again, I'd say it depends what your threat model is.
[18:35.830 --> 18:39.050]  Burner phones are really hard to do properly.
[18:40.250 --> 18:42.650]  There's a lot of things you've got to take into account.
[18:42.650 --> 18:45.750]  If you want to actually use a burner phone,
[18:45.750 --> 18:49.070]  you have to be able to actually buy it anonymously.
[18:49.070 --> 18:51.910]  You have to call people that you normally call on it.
[18:51.910 --> 18:54.850]  You have to stop using it afterwards.
[18:54.850 --> 18:56.310]  There's a lot there.
[18:56.430 --> 19:00.370]  Battery has to come out and in at the right place and time.
[19:00.770 --> 19:01.950]  Yeah, exactly.
[19:04.470 --> 19:08.110]  Even though it's cheap to buy cell phones these days,
[19:08.110 --> 19:12.350]  it's still not actually, I don't think, trivial to set up a burner phone.
[19:14.290 --> 19:17.050]  Again, it depends on what your threat model is.
[19:17.050 --> 19:24.550]  If you just don't want the law enforcement agency in your country to know you're at a protest,
[19:24.550 --> 19:26.790]  I would just put your phone in airplane mode.
[19:27.410 --> 19:31.150]  If you really need to be making calls during that protest,
[19:31.150 --> 19:34.030]  but you really don't want them to know you're there,
[19:34.030 --> 19:36.590]  I mean, your chief worry should not be IMSI catchers.
[19:36.590 --> 19:38.210]  It should be not getting arrested.
[19:39.110 --> 19:40.270]  It's not...
[19:40.270 --> 19:52.870]  I think that IMSI catchers should actually be fairly far down on your list of threats if you're going to a protest.
[19:52.870 --> 19:58.930]  And at the top of that should be tear gas and cops beating the shit out of you.
[20:02.130 --> 20:03.090]  It's not...
[20:05.090 --> 20:07.510]  And then several other things,
[20:07.510 --> 20:11.510]  like the police taking your phone and doing a forensic analysis of it after you get arrested,
[20:11.510 --> 20:13.310]  and then IMSI catchers.
[20:13.770 --> 20:15.550]  So, I don't know.
[20:16.570 --> 20:20.470]  I think using a burner phone is over-engineering the solution there.
[20:20.470 --> 20:23.170]  I think you should just put your phone in airplane mode.
[20:23.530 --> 20:26.110]  Or if you really need to be doing a lot of comms,
[20:26.110 --> 20:31.690]  but you need to be anonymous, then think about that.
[20:31.690 --> 20:35.330]  But also think about facial recognition and also make sure tattoos are covered up.
[20:35.330 --> 20:37.290]  Make sure you don't have hair.
[20:39.090 --> 20:42.370]  Make sure that nobody can find your t-shirt on Etsy.
[20:42.770 --> 20:43.470]  Exactly.
[20:43.670 --> 20:46.270]  Make sure you're not wearing a custom mask.
[20:47.530 --> 20:50.010]  I know we're kind of coming up to the end.
[20:50.010 --> 20:51.550]  We still have more time.
[20:51.550 --> 20:53.390]  But a great one is,
[20:53.390 --> 20:58.150]  any suggestions on research avenues for others looking to build off this project on?
[20:58.150 --> 21:02.550]  Most of this project in the past seems to be around 2G and 3G-based.
[21:02.550 --> 21:06.450]  So, it would be great to see a project catching up to the latest protocols.
[21:06.950 --> 21:08.930]  So, that is what we're doing.
[21:10.630 --> 21:13.090]  That is, in fact, the whole point of the project,
[21:13.090 --> 21:16.970]  is that all the past research has been focused on 2G and 3G,
[21:16.970 --> 21:18.990]  and we're specifically focused on 4G
[21:18.990 --> 21:24.190]  and what the latest iterations of cell site simulators like the Hailstorm and the Crossbow.
[21:24.390 --> 21:27.090]  I think what they're asking specifically is how they can give back,
[21:27.090 --> 21:28.610]  you know, research more on their own.
[21:28.670 --> 21:32.130]  Sorry, I misunderstood.
[21:33.250 --> 21:35.390]  Yep, that was the talk.
[21:36.510 --> 21:38.590]  Yeah, so how you can give back.
[21:41.150 --> 21:45.290]  Like, we would love people to get involved with the project, right?
[21:46.910 --> 21:53.410]  We have theories about how these things work based on our research,
[21:53.410 --> 21:55.370]  based on reading the academic papers, right?
[21:55.370 --> 21:57.670]  And again, a big shout-out to Yomna.
[21:58.830 --> 22:02.950]  Me and her spent two years reading all of the academic papers.
[22:02.950 --> 22:05.610]  A lot.
[22:10.270 --> 22:12.410]  You're probably back. We had some cutouts.
[22:12.410 --> 22:14.470]  Okay. Oh, sorry.
[22:14.470 --> 22:17.850]  Yeah, so me and Yomna spent a long time reading all...
[22:17.850 --> 22:23.730]  Yomna wrote a really excellent paper detailing all that we know about the 4G.
[22:24.670 --> 22:28.970]  And yeah, I mean, but, you know, further research, right?
[22:28.970 --> 22:32.270]  And, you know, new theories about how they might work.
[22:32.270 --> 22:34.330]  I mean, FOIA requests, right?
[22:34.570 --> 22:40.350]  There was a really excellent set of manuals for the Stingray, right?
[22:40.350 --> 22:48.310]  And if somebody did a similar FOIA request and got manuals for the Hailstorm hospital, like, yeah, that would be excellent.
[22:48.830 --> 22:54.730]  Well, this is a fantastic time for us to put in here a couple of bits.
[22:54.730 --> 22:56.530]  So you work for the EFF.
[22:57.070 --> 23:06.270]  Everybody here should know what the EFF is, but if you are brand new to the InfoSec community, give us just a blurb on the EFF.
[23:06.930 --> 23:16.750]  Sure. So EFF, or the Electronic Frontier Foundation, is an organization that defends civil liberties as they intersect with technology.
[23:16.830 --> 23:20.050]  Or as we say, when you get online, your rights come with you.
[23:20.050 --> 23:29.490]  You don't lose your rights, you don't lose your human rights, you don't lose your civil liberties, freedom of speech, the right to privacy, free expression, just because you're working with technology.
[23:29.490 --> 23:41.390]  And so we defend that, and we defend that through a combination of legal strategy, grassroots activism, and technology, like what I work.
[23:42.090 --> 23:49.010]  So we've been doing this for 30 years now. 30 years this year. We started in 1990.
[23:49.250 --> 24:00.650]  And our first case was defending Steve Jackson Games when they had put out a pen and paper RPG called Cyberpunk, which the FBI decided was a manual for hacking.
[24:00.650 --> 24:04.530]  And they raided Steve Jackson Games and took all of their copies of Cyberpunk.
[24:04.530 --> 24:13.090]  We were teaching kids how to hack, and we defended them and got their books back because this is a clear freedom of speech issue.
[24:13.450 --> 24:17.170]  And so that was our first case, and we've been taking on cases ever since then.
[24:17.570 --> 24:27.110]  So I work specifically in EFF Threat Lab. Well, I guess you watched my talk where I talked pretty extensively about that, so I won't dig into the EFF Threat Lab.
[24:27.110 --> 24:37.550]  But that's what EFF is. We're a non-profit. We're member-supported. Over half of our annual budget comes from individual donations from our members, members like you.
[24:38.230 --> 24:44.850]  Well, Cooper, if I had a little bit of extra money and I wanted to give it to the EFF, how would I do that?
[24:45.410 --> 24:59.910]  Yeah, so you can buy EFF swag here at DEF CON. In fact, we even have a special DEF CON Safe Mode EFF shirt that you can only buy during Safe Mode. You can buy it right now.
[25:00.170 --> 25:12.690]  And that's at our website, EFF.org. And I think there's a donate link up there. There's a shop link up there. You can go find all of our branded swag and all of our DEF CON swag.
[25:12.690 --> 25:24.710]  Or you can just donate us money directly from there if you like. We're also taking donations in Zcash, I think, during DEF CON. So if you want to donate truly anonymously, you can donate to us through that.
[25:24.810 --> 25:33.610]  I have no idea how that works, but you can drop into the vendors channel and message the EFF account and set you up.
[25:34.790 --> 25:44.270]  I also heard a little bit that you are involved in some other things at DEF CON here. So would you like to talk a little bit about what you have going on later on?
[25:44.270 --> 26:04.450]  Yeah, I am. So at 5 o'clock tonight, 1700 Vegas time, we're running the EFF Tech Trivia event. So I will be the quiz master.
[26:05.130 --> 26:25.910]  And we will be asking trivia questions. You can sign up for a team right now if you go to the Discord channel under Contests and Events. It's EFF Triv. And you can sign up for a team and we'll ask a bunch of questions and the winning teams will get some free EFF swag.
[26:25.910 --> 26:45.450]  Great. Alright, so I'm sure that with all of the stuff that you've been talking about here, there are people who are interested in reaching out and doing more of this work with you. So we'll have you at the end here post whatever sort of contact information you would like for people to reach out to you with.
[26:45.830 --> 26:48.810]  Yeah, do you want me to post that in the Talks channel?
[26:48.810 --> 27:04.250]  Sure, we'll put that in the Talks channel. And yeah, if there's anybody who has one additional question that you'd like to hit or if... Ella Punk, did you find anything? Are you sitting on something? Maybe.
[27:04.690 --> 27:13.550]  Maybe. I was having so much fun listening to that. So I did post links for the shirt and more information on EFF in the group chat.
[27:13.910 --> 27:15.450]  Awesome. Thank you, Ella Punk.
[27:15.450 --> 27:24.530]  So do you have a final call to action for the people who are listening here? Something you would like them to take away?
[27:25.890 --> 27:44.170]  I do. My final call to action is just to get involved with what's going on in your local communities. As hackers, there's a lot we can do. There's a lot of problems that we can solve in our smart hackers way. And we don't always have to solve it through making a new app.
[27:44.170 --> 28:04.850]  A lot of people working in your community just need help setting up a mailing list, right? Or just need help setting up a simple static website, right? But there's also more creative problems to solve. Like I think the thing about using leaf blowers to blow away tear gas is very much in the hacker spirit, right? It's such a great thing to see.
[28:04.850 --> 28:14.150]  So I think that there's a lot of ways to get involved. You can also get involved with other EFF-minded people in your community by checking out the Electronic Frontier Alliance.
[28:14.170 --> 28:30.950]  Which is a group of EFF-affiliated subchapters in the local region. This is sort of the way to act locally. And you can check that out at EFF.org slash EFA.
[28:31.450 --> 28:40.130]  And the perfect question to end on here is, is all the project documentation on GitHub or any information about a paper being published?
[28:40.130 --> 28:58.470]  Yeah, all the project documentation. I have not published a paper. I hate writing. So I may publish a paper eventually, but all of the documentation such as it is, which, boy, open source and documentation, it's always great, right?
[28:59.010 --> 29:13.030]  But yeah, most of the documentation is in my head. The documentation that exists is on the GitHub, and I'm happy to answer questions. And I'm happy to take it upon myself to improve the documentation that people are actually using this.
[29:13.250 --> 29:15.850]  That's where you're sharing all of your spreadsheets, huh?
[29:16.590 --> 29:17.310]  Yes.
[29:17.490 --> 29:18.870]  All right.
[29:18.870 --> 29:20.770]  Yep. Hacking is just spreadsheets.
[29:20.770 --> 29:42.350]  Thank you, everyone, for coming to join. This was a wonderful presentation. I appreciate your willingness to come spend your time with us. So if anyone has additional questions, we will make sure that the contact information is available here in the track one. Otherwise, have a great rest of your convention, and we hope to see more from you soon.
[29:43.090 --> 29:44.830]  Thanks. Bye, everybody.
[29:44.830 --> 29:45.190]  Bye.
